Bug #30754
Katello install with custom CA fails to verify the full CA chain
Status: open
Description
When attempting a new katello install with custom CA, Smart Proxy breaks. I have also tried completing basic katello install without custom certs which does install successfully, however, later updating the certs with custom CA also breaks the Smart Proxy. In both scenarios, after installing certs from custom CA, the websocket/web-console has a "good" certificate and works as expected, however, smart proxy is broken.
Commands being run:
- katello-certs-check -c /root/certs/myserver.crt -k /root/certs/myserver-d.key -b /etc/pki/tls/certs/ROOTCA-CA_2019.crt
- foreman-installer --scenario katello \
--certs-server-cert "/root/certs/myserver.crt" \
--certs-server-key "/root/certs/myserver-d.key" \
--certs-server-ca-cert "/etc/pki/tls/certs/ROOTCA-CA_2019.crt" \
--certs-update-server --certs-update-server-ca -v
katello.log attached. Note, the log has been lightly edited to remove any personal data.
You can find more back-story here:
https://community.theforeman.org/t/certificate-setup-failure-with-custom-ca/20190/13?u=barn
Updated by Ewoud Kohl van Wijngaarden over 3 years ago
- Subject changed from Katello install with custom CA breaks Smart Proxy to Katello install with custom CA fails to verify the full CA chain
We resolved the community one. Turns out the root CA file didn't include the intermediate CA and that failed. I'm updating the subject to reflect that. katello-check-certs should find this and warn the user ahead of time.
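The failure described in this issue (a CA file holding the root but not the intermediate CA) can be caught before running the installer with `openssl verify`. The script below is an added example, not code from Foreman or katello-certs-check; the function names `check_ca_bundle` and `make_demo_chain` are hypothetical, and the certificates are a constructed throwaway chain generated on the spot.

```shell
#!/bin/sh
# check_ca_bundle CERT BUNDLE (hypothetical helper, not katello-certs-check itself)
# Returns 0 when openssl can build a complete path from CERT to a self-signed
# root out of the certificates in BUNDLE; otherwise reports the leaf's issuer.
check_ca_bundle() {
    cert=$1 bundle=$2
    if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "OK: $bundle chains $cert to a root"
        return 0
    fi
    echo "FAIL: $bundle does not chain $cert to a root" >&2
    echo "  leaf $(openssl x509 -noout -issuer -in "$cert")" >&2
    echo "  bundle holds $(grep -c 'BEGIN CERTIFICATE' "$bundle") certificate(s);" \
         "check that the issuer above is one of them" >&2
    return 1
}

# make_demo_chain DIR: constructed root -> intermediate -> server chain, throwaway keys.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root intermediate server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=Constructed $n" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null &&
    cat "$d/root.crt" "$d/intermediate.crt" > "$d/full-chain.crt"
}

# Demo: the root-only bundle reproduces the failure, the full bundle passes.
tmp=$(mktemp -d) && make_demo_chain "$tmp" || exit 1
check_ca_bundle "$tmp/server.crt" "$tmp/root.crt" || echo "(expected: intermediate CA missing)"
check_ca_bundle "$tmp/server.crt" "$tmp/full-chain.crt"
rm -rf "$tmp"
```

Against real files, the call is `check_ca_bundle` with the server certificate first and the file passed as `--certs-server-ca-cert` second.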